CN106656975A - Attack defense method and attack defense device - Google Patents
Publication number: CN106656975A (application CN201610905498.5A)
Authority: CN (China)
Prior art keywords: module, attack, message, characteristic information, defence
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The embodiment of the invention provides an attack defense method and an attack defense device. The method comprises steps: a defense packet from a first module is received, wherein the defense packet carries feature information for describing the attack; whether a second module associated with the first module is recorded in an anti-attack table entry is retrieved; and if yes, the feature information is transmitted to the second module to enable the second module to carry out defense processing on a received packet matched with the feature information according to the feature information. Thus, during the anti-attack process, through linkage defense among related modules, the defense ability of the device is greatly improved, communication among modules is reduced, the system burden is effectively lessened, and the resource utilization rate and the user experience are improved.
Description
Technical field
The present invention relates to the field of communications technology, and in particular to an attack defense method and an attack defense device.
Background technology
At present, network attacks are increasingly frequent, so that some network devices run into more and more problems in network use. To strengthen the anti-attack capability of network devices, the solution mainly adopted in the prior art is to perform targeted defense in the network device against different attack types and attack means.
When the prior art performs attack defense, the defense processing of each defense module is independent of the others, so linkage between the defense modules is poor, which wastes resources and can even lower the defense capability.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide an attack defense method that improves resource utilization and the attack defense capability of the device.
To solve the above problem, an embodiment of the present invention discloses an attack defense method, including:
receiving a defense message from a first module, the defense message carrying feature information that describes an attack;
retrieving whether a second module associated with the first module is recorded in an anti-attack table entry;
if so, sending the feature information to the second module, so that the second module performs defense processing, according to the feature information, on received messages that match the feature information.
Correspondingly, an embodiment of the present invention further provides an attack defense device, to ensure the implementation and application of the above method. The device includes:
a first receiving module, for receiving a defense message from a first module, the defense message carrying feature information that describes an attack;
a retrieval module, for retrieving whether a second module associated with the first module is recorded in an anti-attack table entry;
a sending module, for, if so, sending the feature information to the second module, so that the second module performs defense processing, according to the feature information, on received messages that match the feature information.
Thus, in the embodiments of the present invention, a defense message carrying feature information that describes an attack is received from a first module; whether a second module associated with the first module is recorded in an anti-attack table entry is retrieved; and if so, the feature information is sent to the second module, so that the second module performs defense processing, according to the feature information, on received messages that match the feature information. In this way, during attack protection, the linkage defense between associated modules greatly improves the defense capability of the device and reduces inter-module communication, which effectively relieves the system burden and improves resource utilization and the user experience.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the steps of an embodiment of an attack defense method of the present invention;
Fig. 2 is a structural block diagram of an embodiment of an attack defense device of the present invention;
Fig. 3 is a structural block diagram of an embodiment of an attack defense device of the present invention.
Specific embodiments
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.
At present, the number and variety of network attacks grow day by day. In prior implementations, a network device typically takes targeted measures to defend against different types of attack, for example ARP anti-spoofing, ping attack protection, DHCP starvation attack protection and ICMP protocol message rate limiting. In prior implementations, the modules on the driver side and/or the platform side each defend against different types of attack, so as to ensure the security of the network device.
However, because the attack protection processing of each module in prior implementations is independent, linkage between the modules is poor. When several modules are subjected to an attack sent by the same attacker, each of them has to identify the attack messages and then perform defense processing, which clearly increases the load on the device. Moreover, prior implementations may be unable to identify an attack accurately. For example, when a network device is under an ICMP attack and the driver-side defense module is configured with a rate-limiting defense function, the driver-side defense module rate-limits the messages. When the rate-limited messages reach the platform side, the number of messages received by the platform side may not exceed the threshold used to identify an attack, so the relevant platform-side defense module cannot effectively identify the attack. In that case, because the platform-side defense module has not identified the attack, the platform processes the attack messages normally (this processing differs from the defense processing described above: it is the response processing the platform side applies to messages under normal conditions), which wastes CPU and memory resources and also affects the processing efficiency of other messages.
In view of the above problems, one of the core ideas of the embodiments of the present invention is to propose an attack defense method and device that effectively improve resource utilization and the attack defense capability of the device.
Referring to Fig. 1, a flow chart of the steps of an embodiment of an attack defense method of the present invention is shown, which may specifically include the following steps:
Step 101: receive a defense message from a first module, the defense message carrying feature information that describes an attack.
Specifically, the attack defense method in the embodiments of the present invention is applied in a network device, which includes but is not limited to devices such as routers and switches. The driver side and/or the platform side of the network device includes one or more defense modules for different types of attack, for example an ICMP module or a DHCP module.
The first module detects the messages it receives. In one embodiment of the present invention, if the first module detects that it is under attack, the first module sends a defense message to the anti-attack module to notify the anti-attack module that it is under attack, the defense message carrying feature information that describes the attack. In another embodiment of the present invention, the user may manually set the feature information describing an attack in the first module; in that embodiment, the defense message sent by the first module to the anti-attack module may also carry the feature information manually set by the user. In the embodiments of the present invention, the feature information includes but is not limited to: address information (the address information of the attacker and of the attack target), attacked interface information, attack type and ageing time. In a further embodiment of the present invention, some modules, for example the driver-side ICMP module, cannot identify the address information of the attacker when under attack and can only determine that they are currently being attacked; the defense message such a module reports to the anti-attack module can therefore only carry feature information describing the attack type and the ageing time.
In the embodiments of the present invention, the anti-attack module is named only so that those of ordinary skill in the art can better understand the present invention; the functions of this module may be implemented by any module or software in the network device, and the present invention does not limit this.
Step 102: retrieve whether a second module associated with the first module is recorded in an anti-attack table entry.
Specifically, in an embodiment of the present invention, the anti-attack module determines whether a second module associated with the first module exists in the network device by retrieving the content recorded in a locally stored anti-attack table entry.
Step 103: if so, send the feature information to the second module, so that the second module performs defense processing, according to the feature information, on received messages that match the feature information.
Specifically, if the anti-attack module retrieves that a second module associated with the first module exists in the network device, it sends the obtained feature information to the second module, so that the second module can perform further defense processing according to this feature information.
The second module receives the feature information sent by the anti-attack module and stores it in a local defense table entry. The second module can then perform defense processing, according to the feature information recorded in the local defense table entry, on received messages that match the feature information. Defense processing includes, for example, identifying attack messages and discarding them; the specific defense processing can be realized by anti-attack techniques of the prior art, which the present invention does not repeat.
In summary, in the technical solution provided by the embodiments of the present invention, a defense message carrying feature information that describes an attack is received from a first module; whether a second module associated with the first module is recorded in an anti-attack table entry is retrieved; and if so, the feature information is sent to the second module, so that the second module performs defense processing, according to the feature information, on received messages that match the feature information. In this way, during attack protection, the linkage defense between associated modules greatly improves the defense capability of the device and reduces inter-module communication, which effectively relieves the system burden and improves resource utilization and the user experience.
In a preferred embodiment of the present invention, before step 101, the method further includes: the anti-attack module receives a registration request from the first module and an association request from the second module, where the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request indicates that the second module is associated with the first module. The anti-attack module then writes the first identification information and the second identification information, in correspondence, into the anti-attack table entry.
In a preferred embodiment of the present invention, after step 101, the method further includes: the anti-attack module writes the feature information carried in the received defense message into the anti-attack table entry, where the feature information corresponds to the first identification information and the second identification information.
In a preferred embodiment of the present invention, after step 102, the method further includes: if the anti-attack module receives an attack release message from the first module, it deletes the feature information corresponding to that attack from the anti-attack table entry and notifies the second module to stop the defense processing for the current attack.
In a preferred embodiment of the present invention, after step 102, the method may further include: the anti-attack module queries the ageing time corresponding to the attack recorded in the local anti-attack table entry, and after the ageing time has elapsed, deletes the feature information corresponding to that attack from the anti-attack table entry and notifies the second module to stop the defense processing for the current attack.
To better understand the attack defense method of the present invention, it is described in detail below with specific embodiments.
(1) Detailed illustration taking ICMP attack protection as an example.
ICMP attack protection has a corresponding module on each of the driver side and the platform side. In this embodiment, the driver-side ICMP attack protection module is called the ICMP1 module and the platform-side ICMP attack protection module is called the ICMP2 module.
When the user has completed the ICMP attack protection configuration in the network device, the ICMP1 and ICMP2 modules are activated and send registration requests to the anti-attack module. In an embodiment of the present invention, a defense module that has been activated (attack protection configuration completed) can send a registration request to the anti-attack module. The registration request contains identification information that identifies the defense module. In this embodiment, the registration request sent by the ICMP1 module to the anti-attack module carries first identification information, which identifies the ICMP1 module so that the anti-attack module can uniquely identify it; the first identification information includes but is not limited to the name and module ID of the ICMP1 module. The registration message of the ICMP2 module is similar to that of the ICMP1 module and is not repeated here. After receiving a registration request, the anti-attack module obtains the identification information in it and writes it into the locally stored anti-attack table entry.
If, according to actual requirements, the user expects the ICMP1 and ICMP2 modules to perform linkage defense, that is, the ICMP1 and ICMP2 modules are strongly associated modules of each other, the user can specify in the network device that the ICMP2 module is associated with the ICMP1 module. According to the user's instruction, ICMP2 can send an association request to the anti-attack module to be associated with the ICMP1 module. The association request carries identification information identifying the ICMP2 module, such as its name and module ID. After receiving the association request, the anti-attack module writes the identification information of the ICMP2 module obtained from the association request into the anti-attack table entry, in correspondence with the identification information of the ICMP1 module.
When an attacker launches an ICMP attack on the network device, because the driver-side ICMP1 module is a bottom-layer module, the driver-side ICMP1 module in the network device receives the attack messages before the platform-side ICMP2 module. After receiving ICMP attack messages, ICMP1 detects that it is currently under an ICMP attack. The specific detection method can be realized by the prior art, for example the number of received attack messages exceeding a threshold; the present invention does not limit this.
After the ICMP1 module detects that it is currently under an ICMP attack, because the module has no function for further identifying the attack, the ICMP1 module only rate-limits the attack messages. For example: attacker A sends 1000 attack messages to the network device while ordinary users B and C are each sending 100 normal messages to the network device. When the ICMP1 module has received 1200 messages, this number exceeds the threshold, and the ICMP1 module confirms that it is currently under an ICMP attack. However, because of its functional limitations, the ICMP1 module cannot determine which of the 1200 messages it currently receives were sent by the attacker and which are normal messages sent by ordinary users. Therefore, the ICMP1 module can only rate-limit the received messages. In this embodiment, the rate limit is taken to be 200/s as an example.
After detecting that it is under an ICMP attack, the ICMP1 module sends a defense message to the anti-attack module in the network device. The defense message carries feature information describing the ICMP attack, such as the attack type (ICMP attack in this embodiment), the attacked interface information and the ageing time (20 s in this embodiment).
After receiving the defense message, the anti-attack module obtains the feature information it carries and writes it into the locally stored anti-attack table entry. At the same time, the anti-attack module retrieves whether a module associated with the ICMP1 module is recorded in the anti-attack table entry. After retrieval, the anti-attack module determines that the module associated with the ICMP1 module is the ICMP2 module. The anti-attack module sends a notification message to the ICMP2 module, informing the ICMP2 module that the ICMP1 module is currently under attack, so that the ICMP2 module performs defense processing on the messages it receives. The notification message also carries the feature information describing the ICMP attack, that is, the attack type, the attacked interface information, the ageing time and so on. The ICMP2 module writes the received feature information into its locally stored defense table entry for later use. In other embodiments, the notification message may also carry the identification information of the ICMP1 module; the present invention does not limit this.
Specifically, after rate limiting by the ICMP1 module, messages are sent to the platform-side ICMP2 module at a rate of 200/s. After receiving the 200 messages, the ICMP2 module starts defense processing and performs attack recognition on the 200 messages to identify whether they contain messages sent by the attacker. For example: suppose the 200 messages contain 100 ICMP attack messages sent by the attacker and 100 ordinary messages, and suppose that in the prior-art embodiment the threshold set in the ICMP2 module is 110, that is, defense processing starts when a certain kind of message exceeds 110. Then, because the 200 rate-limited messages contain only 100 attack messages and the number of attack messages does not exceed the threshold in the ICMP2 module, the ICMP2 module performs no defense processing on the 200 messages and proceeds directly to subsequent processing.
In an embodiment of the present invention, the ICMP2 module has received the notification message sent by the anti-attack module, and the feature information related to the ICMP attack is recorded in its locally stored defense table entry. Therefore, on receiving the 200 rate-limited messages, the ICMP2 module performs defense processing on them, identifies the attack messages and discards them. The specific defense processing method can be realized by the prior art and is not repeated here.
After performing defense processing on the received messages, the ICMP2 module can obtain detailed feature information describing the attack, for example the address information (IP address and MAC address) of the attacker. The ICMP2 module can likewise send a defense message to the anti-attack module, carrying the feature information corresponding to the attack that the ICMP2 module obtained. The anti-attack module receives and obtains this feature information and writes it into the anti-attack table entry, so that the feature information related to the ICMP attack recorded in the anti-attack table entry now includes more specific feature information such as the address information of the attacker, the attack type and the ageing time.
The anti-attack module retrieves again and confirms that the module associated with the ICMP2 module is the ICMP1 module. The anti-attack module notifies the ICMP1 module and sends the feature information to it. The details are similar to the steps above and are not repeated here.
After receiving the feature information, the ICMP1 module writes it into its locally stored defense table entry and performs defense processing on attack messages according to the feature information recorded there. Specifically, the ICMP1 module can discard the messages corresponding to the address information recorded in the defense table entry (that is, the messages sent by the attacker). Because the driver-side ICMP1 module discards all attack messages, the platform-side ICMP2 module no longer receives attack messages, which relieves the burden on the platform side, further reduces the system burden of the network device, and improves resource utilization and the user experience.
In an embodiment of the present invention, after discarding all attack messages, the ICMP1 module releases the ICMP defense processing and sends an attack release message to the anti-attack module. According to the received attack release message, the anti-attack module deletes the corresponding feature information from the anti-attack table entry. At the same time, the anti-attack module sends an attack release notification to the ICMP2 module, notifying it to stop the current defense processing. When the ICMP2 module receives the attack release notification, because the ICMP1 module has been discarding the attack messages, the ICMP2 module is currently not receiving any attack messages and therefore is not performing any defense processing; it only deletes the content corresponding to the ICMP attack recorded in its locally stored defense table entry.
In another embodiment of the present invention, if the attacker continues to send attack messages after the ICMP1 module has discarded all attack messages from that attacker, the ICMP1 module does not release the ICMP defense processing and keeps discarding the attack messages it receives. When the anti-attack module detects that the ageing time of the ICMP attack (20 s in this embodiment) has been exceeded, the anti-attack module deletes the feature information corresponding to the ICMP attack recorded in the anti-attack table entry and notifies the ICMP2 module to stop the defense processing. Because the ICMP1 module is still under ICMP attack, the ICMP1 module can again send a defense message to the anti-attack module in order to re-establish the linkage defense relationship with the ICMP2 module.
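Steps 101 to 103, the registration, association, release and ageing embodiments above, and the ICMP1/ICMP2 example with attacker A and users B and C are simulated by the following Python code, which is added here and is not the patent's own code. The rate limit of 200/s, the ICMP2 threshold of 110 and the 20 s ageing time are the patent's figures; the 1000-message detection threshold of ICMP1, the addresses, the interface name eth0 and the "busiest source" recognition heuristic are assumptions.

```python
from dataclasses import dataclass, replace
ATTACKER, USER_B, USER_C = "10.0.0.9", "10.0.0.2", "10.0.0.3"  # constructed addresses for A, B, C

@dataclass(frozen=True)
class Feature:  # feature information describing an attack
    attack_type: str
    interface: str
    ageing: int          # seconds; the table entry is deleted once this has elapsed
    attacker: str = ""   # empty: the driver-side ICMP1 module cannot identify the attacker

class AntiAttackModule:
    """Keeps the anti-attack table: registered modules, associations and reported features."""
    def __init__(self):
        self.modules, self.assoc, self.table = {}, {}, {}  # table: sender -> (feature, time)

    def register(self, mod):  # registration request carries the module's identification
        self.modules[mod.name] = mod

    def associate(self, requester, partner):  # association request: link the two modules
        self.assoc[requester], self.assoc[partner] = partner, requester

    def on_defense_message(self, sender, feat, now):
        """Steps 101-103: record the feature, look up the associated module, forward it."""
        self.table[sender] = (feat, now)
        partner = self.assoc.get(sender)
        if partner is not None:
            self.modules[partner].on_notify(feat)
        return partner

    def on_release(self, sender):  # attack release: delete the entry, tell the partner to stop
        partner = self.assoc.get(sender)
        self.table.pop(sender, None)
        if partner is not None:
            self.table.pop(partner, None)
            self.modules[partner].on_notify(None)  # None = stop the current defense processing

    def age_out(self, now):
        """Ageing: release entries whose ageing time has elapsed, even without a release message."""
        for sender, (feat, t0) in list(self.table.items()):
            if sender in self.table and now - t0 >= feat.ageing:
                self.on_release(sender)

class Icmp1:
    """Driver-side ICMP module: detects an attack by volume but cannot tell who sends it."""
    name, DETECT_THRESHOLD, RATE_LIMIT = "ICMP1", 1000, 200  # detection threshold is assumed
    def __init__(self, aam):
        self.aam, self.blocked = aam, set()
        aam.register(self)

    def on_notify(self, feat):  # via linkage, learns the attacker's address found by ICMP2
        if feat is not None and feat.attacker:
            self.blocked.add(feat.attacker)  # a stop notification leaves the local entry alone

    def handle(self, msgs, now):
        """Returns the messages passed up to the platform side in this one-second window."""
        kept = [m for m in msgs if m not in self.blocked]  # drop by learned address, if any
        if len(kept) > self.DETECT_THRESHOLD:
            self.aam.on_defense_message(self.name, Feature("ICMP", "eth0", 20), now)
            return kept[: self.RATE_LIMIT]  # rate-limit only: attack and normal messages mixed
        return kept

class Icmp2:
    """Platform-side ICMP module: can identify the attacker, but only once it starts looking."""
    name, THRESHOLD = "ICMP2", 110
    def __init__(self, aam):
        self.aam, self.defending, self.dropped = aam, None, 0
        aam.register(self)

    def on_notify(self, feat):
        self.defending = feat  # the local defense table entry; None clears it

    def handle(self, msgs, now):
        """Returns the messages handed to normal platform processing."""
        known = self.defending.attacker if self.defending else ""
        busiest = max(set(msgs), key=msgs.count, default=None)  # assumed recognition heuristic
        if self.defending is None and msgs.count(busiest) <= self.THRESHOLD:
            return msgs  # prior art: only 100 attack messages, below 110, attack unnoticed
        if self.defending is not None and not known:  # notified but address unknown: find it
            self.defending = replace(self.defending, attacker=busiest)
            self.aam.on_defense_message(self.name, self.defending, now)  # report back up
        attacker = known or busiest
        kept = [m for m in msgs if m != attacker]
        self.dropped += len(msgs) - len(kept)
        return kept

def traffic():
    return [ATTACKER, USER_B, ATTACKER, USER_C] * 100 + [ATTACKER] * 800  # 1000 from A, 100 each B, C

def run(linkage):
    """Two seconds of the ICMP scenario with the attack continuing, then the 20 s ageing check."""
    aam = AntiAttackModule()
    icmp1, icmp2 = Icmp1(aam), Icmp2(aam)
    if linkage:
        aam.associate("ICMP2", "ICMP1")
    pass1 = icmp2.handle(icmp1.handle(traffic(), now=0), now=0)
    pass2 = icmp2.handle(icmp1.handle(traffic(), now=1), now=1)
    table_before = sorted(aam.table)
    aam.age_out(now=20)
    return {"platform_pass_1": len(pass1), "platform_pass_2": len(pass2), "icmp2_dropped": icmp2.dropped,
            "blocked": sorted(icmp1.blocked), "table_after_second_2": table_before, "table_after_ageing": sorted(aam.table)}
```

Without the association, ICMP2 sees 100 attack messages among the 200 rate-limited ones, stays below its threshold of 110 and forwards all of them; with it, ICMP2 drops them, reports the attacker's address back, and from the next second ICMP1 discards the attacker's 1000 messages itself.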
(2) Detailed illustration taking AAA attack protection and PPPOE attack protection as an example.
When the user has completed the AAA attack protection configuration in the network device, the AAA module is activated and sends a registration request to the anti-attack module. The user sets PPPOE and AAA as strongly associated modules, that is, the PPPOE module sends an association request to the anti-attack module to be associated with the AAA module.
The anti-attack module writes the identification information of the AAA module and of the PPPOE module, in correspondence, into the locally stored anti-attack table entry.
When an attacker launches an AAA attack on the network device, the AAA module detects that it is under attack and identifies the feature information of the attack. Unlike the ICMP1 module in the above embodiment, the AAA module can directly identify feature information such as the address information of the attacker, so the feature information obtained by AAA includes: the address information of the attacker, the destination address information, the attack type, the attacked interface information, the ageing time and so on.
AAA sends a defense message to the anti-attack module, the defense message carrying the above feature information. The anti-attack module obtains the feature information from the defense message and writes it into the anti-attack table entry.
By retrieving the anti-attack table entry, the anti-attack module determines that the module associated with the AAA module is the IPOE module. The anti-attack module sends a notification message to the IPOE module, carrying the feature information corresponding to the attack recorded in the anti-attack table entry.
The IPOE module receives the notification message, obtains the feature information in it and writes it into its local defense table entry. Subsequently, according to the content of the defense table entry, IPOE can identify the messages corresponding to the address information of the attacker in the feature information, and the IPOE module can then directly discard all messages sent by that attacker. Because the IPOE module discards all messages from the attacker, the attacker's authentication connection with the network device is broken, so the AAA module no longer receives any messages from that attacker, which relieves the burden on that module and further reduces the burden on the network device. The details and subsequent processing in this embodiment are similar to those in the above embodiments and are not repeated here.
(3) In one embodiment of the present invention, when configuring attack protection for the first module, the user can first set, manually in the first module, feature information describing an attack. For example, the user can configure a blacklist in the first module, which can record the addresses and other information of known attackers. After the first module is activated, it sends a registration request to the anti-attack module. The user sets the first module and the second module as strongly associated modules, that is, the first module sends an association request to the anti-attack module to be associated with the second module.
The anti-attack module writes the identification information of the first module and of the second module, in correspondence, into the locally stored anti-attack table entry.
The first module sends a defense message to the anti-attack module, the defense message carrying the feature information recorded in the blacklist. The anti-attack module obtains the feature information from the defense message and writes it into the anti-attack table entry.
By retrieving the anti-attack table entry, the anti-attack module determines that the module associated with the first module is the second module, and sends the feature information from the first module to the second module.
The second module receives the feature information and writes it into its local defense table entry. Subsequently, when the second module receives messages that match this feature information, that is, messages sent by attackers in the blacklist, the second module can directly discard all such messages. The second module thus does not need to identify the attack messages itself, which effectively relieves the burden on that module and further reduces the burden on the network device. The details and subsequent processing in this embodiment are similar to those in the above embodiments and are not repeated here.
Based on the same inventive concept as the above method, an embodiment of the present invention also provides an attack defence device, applied to a network device. The attack defence device may be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the device in the logical sense is formed by the processor of the routing device in which it is located reading the corresponding computer program instructions from non-volatile storage. From the hardware perspective, in addition to the processor and the non-volatile memory, the routing device may also include other hardware, such as a forwarding chip responsible for processing messages, network interfaces and memory; in terms of hardware structure, the routing device may also be a distributed apparatus, possibly including multiple interface cards, so that message processing can be extended at the hardware level.
With reference to Fig. 2, a structural block diagram of an embodiment of an attack defence device 200 of the present invention is shown, which may specifically include the following modules:
A first receiving module 201, for receiving a defence message from the first module, the defence message carrying characteristic information for describing an attack.
A retrieval module 202, for retrieving whether a second module associated with the first module is recorded in the attack protection table entry.
A sending module 203, for, if so, sending the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information.
With reference to Fig. 3, in one embodiment of the present invention, on the basis of Fig. 2, the attack defence device 200 may further include:
A second receiving module 204, for receiving a registration request from the first module and an association request from the second module, wherein the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request is used to indicate that the second module is associated with the first module.
A writing module 205, for writing the first identification information and the second identification information, in correspondence, into the attack protection table entry.
In one embodiment of the present invention, the writing module 205 may further be used for writing the characteristic information into the attack protection table entry.
With continued reference to Fig. 3, in one embodiment of the present invention, the attack defence device 200 further includes:
A notification module 206, for, if an attack release message is received from the first module, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
In one embodiment of the present invention, the notification module 206 may further be used for, after the ageing time corresponding to the attack has elapsed, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
In one embodiment of the present invention, the characteristic information carried in the defence message received by the first receiving module includes at least one of: address information, interface information, attack type, ageing time.
In summary, the attack defence device provided by the embodiment of the present invention receives a defence message from a first module, the defence message carrying characteristic information for describing an attack; retrieves whether a second module associated with the first module is recorded in the attack protection table entry; and if so, sends the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information. Thus, during attack protection, the linkage defence between associated modules greatly improves the defence capability of the device and reduces inter-module communication, which effectively lightens the system burden and improves resource utilisation and user experience.
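The linkage-defence process described above (registration and association table, defence message carrying the characteristic information, forwarding to the associated second module, and withdrawal on an attack release message or after the ageing time) as an added Python model written for this page; it is not code from the patent, and the module names, field set and sample addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Feature:
    """Characteristic information carried in a defence message."""
    address: str        # attacker address from the first module's blacklist
    interface: str      # interface the attack arrived on
    attack_type: str    # label only, e.g. "syn-flood"
    ageing_time: float  # seconds the entry lives unless released earlier

class DefenceModule:
    """An associated (second) module; drops packets that hit its local defence table."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.defence_table: set[Feature] = set()

    def start_defence(self, feature: Feature) -> None:
        self.defence_table.add(feature)

    def stop_defence(self, feature: Feature) -> None:
        self.defence_table.discard(feature)

    def handle_packet(self, src: str, iface: str) -> str:
        # No attack identification is done here: a table hit is dropped outright.
        if any(f.address == src and f.interface == iface for f in self.defence_table):
            return "drop"
        return "forward"

class AttackProtectionModule:
    """One attack-protection table entry per registered first module: its
    associated second modules and the active features with their expiry."""
    def __init__(self) -> None:
        self.entries: dict[str, dict] = {}

    def register(self, first_id: str) -> None:
        # Registration request from the first module creates its entry.
        self.entries[first_id] = {"assoc": [], "features": {}}

    def associate(self, second: DefenceModule, first_id: str) -> None:
        # Association request: record the second module under the first's entry.
        self.entries[first_id]["assoc"].append(second)

    def on_defence_message(self, first_id: str, feature: Feature, now: float) -> list[str]:
        """Store the feature and forward it to each associated module; returns their names."""
        entry = self.entries[first_id]
        entry["features"][feature] = now + feature.ageing_time
        for m in entry["assoc"]:
            m.start_defence(feature)
        return [m.name for m in entry["assoc"]]

    def _withdraw(self, entry: dict, feature: Feature) -> None:
        del entry["features"][feature]
        for m in entry["assoc"]:
            m.stop_defence(feature)

    def on_attack_release(self, first_id: str, feature: Feature) -> bool:
        """Attack-release message: delete the feature and stop the defence."""
        entry = self.entries[first_id]
        if feature not in entry["features"]:
            return False
        self._withdraw(entry, feature)
        return True

    def age_out(self, now: float) -> list[Feature]:
        """Delete features whose ageing time elapsed and stop their defence."""
        expired = []
        for entry in self.entries.values():
            for f, expiry in list(entry["features"].items()):
                if now >= expiry:
                    self._withdraw(entry, f)
                    expired.append(f)
        return expired
```

The clock is passed in explicitly so that ageing can be exercised deterministically; a real module would read the device clock.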
As the device embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
Each embodiment in this specification is described in a progressive manner; each embodiment emphasises its differences from the other embodiments, and identical or similar parts of the embodiments may be referred to one another.
Those skilled in the art should appreciate that the embodiments of the present invention may be provided as a method, a device, or a computer program product. Therefore, the embodiments of the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realising the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operation steps is performed on the computer or other programmable terminal device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable terminal device provide steps for realising the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Although preferred embodiments of the embodiments of the present invention have been described, those skilled in the art, once aware of the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or terminal device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or terminal device that includes the element.
The attack defence method and device provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention, and the explanation of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific embodiments and the scope of application according to the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (12)
1. An attack defence method, characterised in that it comprises:
receiving a defence message from a first module, the defence message carrying characteristic information for describing an attack;
retrieving whether a second module associated with the first module is recorded in an attack protection table entry; and
if so, sending the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information.
2. The method according to claim 1, characterised in that, before the step of receiving the defence message from the first module, the method further comprises:
receiving a registration request from the first module and an association request from the second module, wherein the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request is used to indicate that the second module is associated with the first module; and
writing the first identification information and the second identification information, in correspondence, into the attack protection table entry.
3. The method according to claim 2, characterised in that, after the step of receiving the defence message from the first module, the method further comprises:
writing the characteristic information into the attack protection table entry.
4. The method according to claim 3, characterised in that, after the step of sending the characteristic information to the second module, the method further comprises:
if an attack release message is received from the first module, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
5. The method according to claim 3, characterised in that, after the step of sending the characteristic information to the second module, the method further comprises:
after the ageing time corresponding to the attack has elapsed, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
6. The method according to any one of claims 1-5, characterised in that the characteristic information includes at least one of:
address information, interface information, attack type, ageing time.
7. An attack defence device, characterised in that it comprises:
a first receiving module, for receiving a defence message from a first module, the defence message carrying characteristic information for describing an attack;
a retrieval module, for retrieving whether a second module associated with the first module is recorded in an attack protection table entry; and
a sending module, for, if so, sending the characteristic information to the second module, so that the second module performs defence processing, according to the characteristic information, on received messages that match the characteristic information.
8. The device according to claim 7, characterised in that the device further comprises:
a second receiving module, for receiving a registration request from the first module and an association request from the second module, wherein the registration request carries first identification information identifying the first module, the association request carries second identification information identifying the second module, and the association request is used to indicate that the second module is associated with the first module; and
a writing module, for writing the first identification information and the second identification information, in correspondence, into the attack protection table entry.
9. The device according to claim 8, characterised in that the writing module is further used for writing the characteristic information into the attack protection table entry.
10. The device according to claim 9, characterised in that the device further comprises:
a notification module, for, if an attack release message is received from the first module, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
11. The device according to claim 9, characterised in that the notification module is further used for, after the ageing time corresponding to the attack has elapsed, deleting the characteristic information from the attack protection table entry and notifying the second module to stop the defence processing.
12. The device according to any one of claims 7-12, characterised in that the characteristic information carried in the defence message received by the first receiving module includes at least one of:
address information, interface information, attack type, ageing time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610905498.5A CN106656975B (en) | 2016-10-18 | 2016-10-18 | Attack defense method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610905498.5A CN106656975B (en) | 2016-10-18 | 2016-10-18 | Attack defense method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106656975A true CN106656975A (en) | 2017-05-10 |
CN106656975B CN106656975B (en) | 2020-01-24 |
Family
ID=58855376
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610905498.5A Active CN106656975B (en) | 2016-10-18 | 2016-10-18 | Attack defense method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106656975B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110191104A (en) * | 2019-05-10 | 2019-08-30 | 新华三信息安全技术有限公司 | A kind of method and device of security protection |
CN110519265A (en) * | 2019-08-27 | 2019-11-29 | 新华三信息安全技术有限公司 | A kind of method and device of defensive attack |
CN113225334A (en) * | 2021-04-30 | 2021-08-06 | 中国工商银行股份有限公司 | Terminal security management method and device, electronic equipment and storage medium |
CN113746800A (en) * | 2021-07-29 | 2021-12-03 | 北京七壹技术开发有限公司 | Intelligent multi-platform cooperative defense method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1791021A (en) * | 2005-12-21 | 2006-06-21 | 杭州华为三康技术有限公司 | Intrusion detecting system and network apparatus linking system and method |
CN102571786A (en) * | 2011-12-30 | 2012-07-11 | 深信服网络科技(深圳)有限公司 | Method for linkage defense among multiple safety modules in firewall and firewall |
CN103491076A (en) * | 2013-09-09 | 2014-01-01 | 杭州华三通信技术有限公司 | Method and system for defending against network attacks |
CN105871775A (en) * | 2015-01-19 | 2016-08-17 | 中国移动通信集团公司 | Security protection method and DPMA protection model |
Also Published As
Publication number | Publication date |
---|---|
CN106656975B (en) | 2020-01-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9110703B2 (en) | | Virtual machine packet processing |
CN105474602B (en) | | The method, apparatus and equipment of attack stream are identified in software defined network |
CN104468624B (en) | | SDN controllers, routing/exchanging equipment and network defense method |
CN106656975A (en) | | Attack defense method and attack defense device |
CN103609089B (en) | | A kind of preventing is attached to the method and device of Denial of Service attack on the main frame of subnet |
CN108134748B (en) | | Packet loss method and device based on fast forwarding table entry |
CN104660565A (en) | | Hostile attack detection method and device |
WO2020143119A1 (en) | | Method, device and system for defending internet of things against ddos attack, and storage medium |
JPWO2005036831A1 (en) | | Frame relay device |
CN106101011B (en) | | message processing method and device |
CN104601568A (en) | | Virtual security isolation method and device |
US10536480B2 (en) | | Method and device for simulating and detecting DDoS attacks in software defined networking |
US20110026529A1 (en) | | Method And Apparatus For Option-based Marking Of A DHCP Packet |
WO2008131658A1 (en) | | Method and device for dhcp snooping |
CN108429731A (en) | | Anti-attack method, device and electronic equipment |
CN108965263A (en) | | Network attack defence method and device |
CN106911724A (en) | | A kind of message processing method and device |
JP2022500957A (en) | | Packet processing |
CN111049782B (en) | | Protection method, device, equipment and system for rebound network attack |
CN111740943B (en) | | Anti-attack method, device, equipment and machine readable storage medium |
TW201535141A (en) | | Network device and method for avoiding ARP attacks |
CN104506559B (en) | | DDoS defense system and method based on Android system |
US10838942B2 (en) | | Network control software notification and invalidation of static entries |
WO2019096104A1 (en) | | Attack prevention |
CN107690004A (en) | | The processing method and processing device of address analysis protocol message |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20230625; Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province; Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.; Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466; Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd. |